Defence | Security | Safety 2018

“So, would you mind if we pinged your mobile?” he asked. I had no idea what my German colleague was talking about, so my off-hand reply was “fill your boots, ping away!” The next morning, however, I received a call from Berlin, telling me they had indeed pinged me, and pinpointed me just outside Russell, Ontario – where I live. It only required my mobile phone number and the vulnerability in the SS7 system of my major Canadian mobile phone provider for someone in Germany to track my location just outside Ottawa.

This story was recounted by Francis Bleeker, principal at Malmaison Advisers & Company. As the Canadian distributor of GSMK, a supplier of mobile phone and network security solutions, he had just witnessed how prevalent (and easy) phone monitoring has become.

As we rely increasingly on automated systems and mobile communications in government, industry and our critical infrastructure, we become more vulnerable, because the sector dedicated to hacking into them is growing apace. That realization is causing big headaches for people in positions of responsibility in government as well as industry.

To date, we have been spared serious incidents (as far as they have become public, that is), but it's time to close the proverbial barn door.

People are inundated with alarming news about leaks and hacks of critical data and personal information and about alleged foreign meddling, and they demand to know what government and industry are doing about it. But how seriously do they take it? A loss of Optimum Points is annoying but surmountable; the next hack could be on a vastly different scale.

In April 2017, CBC reported the presence of rogue base stations in Ottawa. The publicity then died down for a few months, until a CBC investigation team hacked a federal MP's phone. With his Party's consent, a member of Parliament allowed his phone to be hacked from overseas. By “allowed” we mean he shared his publicly-available cellphone number for the purposes of finding out how easily it could be tracked from afar. Using only the cellphone number, cybersecurity experts in Germany proved they were able to intercept his communications and track his movements – thereby highlighting the weakness in the SS7/Diameter system that GSMK had so poignantly demonstrated to Bleeker earlier that year.

In March 2018 the Department of Homeland Security had to admit in a letter to a U.S. senator the presence of rogue base stations in Washington, DC – but that’s not news; rogue base stations have been detected in many other cities around the world.

Hacked phones allow for the interception of voice and data communication, diversion of calls, injection of malware, tracking and even denial of service.

Government and industry are understandably cagey about actual hacks, but the incidents that have become public raise great concern. It doesn’t take much imagination to realize that a city like Ottawa – with its parliament, government departments and foreign embassies – is a prime target, but so are financial and business centres like Montreal, Calgary or Toronto. When Canada hosts conferences of a sensitive nature, such as a G7 Conference, that will certainly attract unwanted curiosity.

Canadian embassies, troops deployed overseas, and navy ships during port visits can also be easily targeted. It is common knowledge that Ukrainian soldiers have received bone-chilling text messages after their phone identifiers had been harvested with rogue base stations, the so-called IMSI catchers (devices that disguise themselves as legitimate cell tower base stations in order to intercept communications).

What is a rogue base station?
Tactical interception is often done by means of rogue base stations. IMSI catchers allow for over-the-air interception of calls and messages, injection of spyware into unprotected cellular phones, tracking and identification of phones for targeted attacks later. Mobile phones continuously search for the best connection, and rogue IMSI catchers or base stations will offer themselves for connection pretending to be a network tower. Once connected to the fake base station, identifying information on the phone will be harvested and exploited – leading to the real time interception of voice and data communication, injection of malware, and physical tracking. Most law enforcement agencies use spectrum analysers to identify rogue IMSI catchers, which is like looking for a needle in a haystack. GSMK’s Overwatch system, however, monitors complete areas 24/7 and gives an alert and provides its location the instant an IMSI catcher is activated. Overwatch can be installed permanently around a city centre or temporarily around a conference centre, a base, or a moored ship. The tactical version does not require specialized personnel to deploy, and monitoring can be done remotely at an operations centre. Bleeker says he is happy to organize a Proof of Concept on request.

Interception reaches new levels
The remote tracking and interception of mobile phones is the result of a well-documented weakness in mobile networks’ SS7/Diameter system around the world. The tracking of the Canadian Member of Parliament and the ‘pinging’ of Bleeker’s mobile phone were possible because of this existing vulnerability. Network-based interception is used for strategic interception of target phones. It is usually done remotely from abroad, exploiting vulnerabilities of the phone network’s SS7 signalling infrastructure and network hardware components. Modern intelligence systems have brought this interception to a whole new level as they allow for automated analysis of phone conversations, and can extract information of value out of millions of phone calls. The sad result is that this “remote espionage is more efficient than ever, without the necessity of being close to the target,” says Bleeker.

Malmaison / GSMK’s comprehensive signalling network vulnerability assessment can help protect core networks’ Achilles heels against subscriber privacy violations, illegal interception of calls and messages, data theft, billing fraud, denial of service and network settings manipulation, and offers further network tests. GSMK has an impressive track record in SS7 vulnerability testing and consulting around the world. Based on its expertise in building secure systems, plus an in-depth understanding of SS7 protocol particularities, GSMK developed the Oversight Detect program – a comprehensive intrusion detection system that can identify protocol violations and/or misuse by fraudsters and other unauthorized foreign or domestic entities alike. Using high-performance real-time analysis as well as a state-of-the-art monitoring rule set with automatic updates, Oversight Detect permits network operators to identify and report threats. The passive system is complemented by the Oversight Protect system (an SS7 firewall that uses the same analysis engine as Oversight Detect). Oversight Protect is an active system that can automatically block illegal traffic at each SS7 Signal Transfer Point, thus preventing such traffic from penetrating the core network.

Multi-pronged Solution
GSMK’s suite of products is further complemented by a range of high-end encrypted phones that will also warn against IMSI catchers. The Cryptophones are in the top 5 of the world’s best-protected mobile phones. Bleeker says corporations and government organizations that handle sensitive information are best served with complete systems of desk and mobile Cryptophones. He adds that GSMK welcomes an independent assessment of the encryption of the phones.

Given the solutions available, the Malmaison principal thinks the known loopholes in mobile phone security can be closed by a three-pronged approach. The deployment of Overwatch will detect rogue IMSI catchers and protect designated areas; the utilization of Oversight will protect complete mobile networks and detect hack attempts; and the final piece, for people who handle sensitive information on a daily basis, is the use of Cryptophones.